A wake-up call for retail and consumers
When it comes to cyber breaches, no company is too big or too traditional, as highlighted by recent events. Both M&S and Co-op have been targeted by cyber criminals, and are facing no end of issues as a result.
There’s a lot to be learned from these two cyber attacks, no matter who you are or what size of business you run. So let’s dive in and take a look at how they happened, and at some things you need to be vigilant about as a result, to avoid your own run-in with the hackers.
The anatomy of a retail cyber attack
Not just a cyber attack, an M&S cyber attack
Both M&S and Co-op were hit with what’s called a ransomware attack. This is where the hackers take a copy of a company’s data and scramble it, block the company’s access to its own systems, and then attempt to extort money both for unscrambling the data and for deleting their copy of it.
Although M&S hasn’t released full details of how the attack happened, the National Cyber Security Centre has revealed that criminals launching attacks on UK retail are impersonating IT help desks in order to glean the information they need to gain access.
This method of attack is called social engineering, and it’s so named because the information-gathering involves impersonating people to trick others into revealing sensitive information. It relies on psychological tactics and human interaction that can be hard to spot as suspicious until it’s too late, especially if there’s a lack of training in the areas the hackers are looking to hit.
On Monday 13th of May, three weeks after the initial attack, M&S announced which customer data could have been impacted by the incident. This includes:
- name
- date of birth
- telephone number
- home address
- household information
- email address
- online order history
Although the retailer said that any card details wouldn’t be usable because full card details aren’t stored on its systems, this data gives hackers quite a lot of ‘puzzle pieces’, which, when pieced together with financial information, could be catastrophic.
How has this impacted M&S’ business?
So far, the pause to online orders and click and collect, and the initial problems with contactless payments inside stores, have cost M&S millions of pounds, as well as a reduction in share price. The issue is still ongoing, with certain business operations being taken offline in order to reduce the continued impact on customers.
Advice for individuals
Whether or not you’re an M&S customer, but especially if you are, the biggest thing to look out for is phishing scams impersonating M&S or Co-op. If someone calls you claiming to be either of them, it probably isn’t them! Especially if they’re pushing you to give them financial information.
Remember, someone who is legitimately calling won’t get angry if you tell them you’re going to put the phone down and ring back on a number you look up yourself. Someone who is trying to scam you will be persistent and insistent, and will maybe get crabby if you’re not giving them what they need quickly enough.
Some other practical steps you can take
Be wary of suspicious messages or links; change passwords, especially if the one you were using for M&S has been used elsewhere; keep an eye out for any unusual activity on your accounts; and make sure you’ve enabled multi-factor authentication wherever you possibly can.
What can other businesses learn from this?
Even major retailers are vulnerable, especially through social engineering. The weakness wasn’t in technology, it was in the exploitation of human nature!
This highlights that employee awareness and strong identity and access controls are essential. Changing the password of an account with a high level of access needs a strong process that verifies the request through multiple channels, not just the one the request came in on.
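To make the “multiple channels” idea concrete, here is an added example (not code from the post, M&S, Co-op or the NCSC) of a help-desk reset gate. The role names, confirmation channels and the rule that privileged accounts need two independent confirmations are all assumptions for illustration; the point is that the channel the request arrived on never counts as confirmation of who is asking.

```python
"""Help-desk credential-reset gate (added illustration, all names constructed)."""
from dataclasses import dataclass, field
from typing import Set, Tuple

# Roles treated as "high level of access" (hypothetical role names).
PRIVILEGED_ROLES = {"domain-admin", "payments-admin", "crm-admin"}

# Channels that can independently confirm a requester's identity (assumed policy).
ALLOWED_CONFIRMATION_CHANNELS = {
    "callback-registered-number",   # help desk rings the number on file, not the caller's number
    "manager-approval",             # line manager confirms via their own account
    "in-person-id-check",
}


@dataclass
class ResetRequest:
    account: str
    role: str
    request_channel: str                       # e.g. "phone" for an inbound help-desk call
    confirmations: Set[str] = field(default_factory=set)


def required_confirmations(role: str) -> int:
    """Privileged accounts need two independent confirmations; ordinary ones need one."""
    return 2 if role in PRIVILEGED_ROLES else 1


def can_reset(req: ResetRequest) -> Tuple[bool, str]:
    """Decide whether the help desk may act on the reset, with a reason to log."""
    # Only recognised channels count, and never the channel the request itself came in on:
    # a caller who phoned the help desk cannot "confirm" by phone.
    valid = {c for c in req.confirmations
             if c in ALLOWED_CONFIRMATION_CHANNELS and c != req.request_channel}
    need = required_confirmations(req.role)
    if len(valid) >= need:
        return True, f"ok: {len(valid)} independent confirmation(s) for {req.account}"
    return False, (f"refused: {req.account} ({req.role}) needs {need} out-of-band "
                   f"confirmation(s), has {len(valid)}; log the attempt and escalate")


if __name__ == "__main__":
    # Constructed requests: an ordinary user, and an admin whose caller only "confirms" by phone.
    for r in (
        ResetRequest("jo.bloggs", "store-colleague", "phone", {"callback-registered-number"}),
        ResetRequest("adm.smith", "domain-admin", "phone", {"phone"}),
        ResetRequest("adm.smith", "domain-admin", "phone",
                     {"callback-registered-number", "manager-approval"}),
    ):
        print(can_reset(r)[1])
```

The refusal message is deliberately returned rather than just printed so it can be written to the help-desk ticket: a pattern of refused privileged resets from the same “caller” is exactly the kind of early warning the impersonation technique described above leaves behind.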
Ultimately, cyber security isn’t just about tech, it’s about behaviour, policies, and preparedness.
How can businesses guard against similar attacks?
Regular team training
Make sure everyone in the business is well-versed on phishing and social engineering
Review access
Who has access to sensitive systems like payments, customer details, or the back end of the website? Do they need it? Ensure only those who need access are the ones who have it. This reduces the number of potential entry points for hackers.
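An access review like the one above is easier to repeat if it’s written down as a rule rather than done by eye. The following is an added example (not code from the post or any retailer) that takes a list of access grants and flags the two things a least-privilege review usually questions: access with no business need behind it, and access that hasn’t been used in a long time. The system names, job functions, the 90-day dormancy threshold and the sample grants are all constructed for this example.

```python
"""Least-privilege access review (added example; systems, roles and data constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SENSITIVE_SYSTEMS = {"payments", "customer-db", "website-backend"}

# Which job functions have a business need for which sensitive system (assumed policy).
NEEDS_ACCESS = {
    "finance": {"payments"},
    "customer-service": {"customer-db"},
    "web-dev": {"website-backend"},
}

DORMANT_AFTER_DAYS = 90   # assumed threshold for "not used recently"


@dataclass(frozen=True)
class Grant:
    user: str
    job_function: str
    system: str
    last_used_days_ago: Optional[int]   # None means never used since it was granted


def review_access(grants: List[Grant]) -> List[Tuple[Grant, str]]:
    """Return (grant, reason) pairs for every sensitive-system grant a reviewer should question."""
    findings = []
    for g in grants:
        if g.system not in SENSITIVE_SYSTEMS:
            continue                                   # only sensitive systems are in scope
        if g.system not in NEEDS_ACCESS.get(g.job_function, set()):
            findings.append((g, "no business need for this system"))
        elif g.last_used_days_ago is None or g.last_used_days_ago > DORMANT_AFTER_DAYS:
            findings.append((g, f"dormant: not used in the last {DORMANT_AFTER_DAYS} days"))
    return findings


# Constructed sample data: the kind of export an identity system or spreadsheet would give you.
SAMPLE_GRANTS = [
    Grant("alice", "finance", "payments", 3),                # needed and in use: fine
    Grant("bob", "customer-service", "customer-db", 200),    # needed but dormant
    Grant("carol", "web-dev", "payments", 10),               # no business need
    Grant("dave", "store-colleague", "website-backend", None),  # no need, never used
    Grant("erin", "finance", "intranet-wiki", 1),            # not a sensitive system: ignored
]

if __name__ == "__main__":
    for grant, reason in review_access(SAMPLE_GRANTS):
        print(f"{grant.user:6} {grant.system:16} {reason}")
```

Run it against a real export of your own grants by replacing SAMPLE_GRANTS and adjusting NEEDS_ACCESS to your actual job roles; the “no business need” findings are the ones to remove first, since every unnecessary login is another door the impersonation tactics above can be used against.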
Ensure frequent updates
Make sure all updates are installed in a timely manner. They often include security patches, and applying them is akin to slamming a door and locking it in front of a cyber criminal; not doing so is like leaving it open and inviting them in!
Have a plan
Not everyone has a full disaster recovery plan, especially smaller businesses. And while we’d like everyone to have one, even having a short incident response plan in place is a great idea. That way, in the event of an attack, everyone will be on the same page about what they should be doing.
Don’t wait for a breach to get serious about security
The real-world impact on businesses like M&S and Co-op is huge, but as they’re both massive, they should be able to absorb the hit. Could your business survive if the same happened to you, with business operations shut down and an obscene amount of money demanded to get access to your data back?
If it all feels a bit overwhelming, please don’t worry – that’s what we’re here for! Get in touch, and we’ll have a chat about any concerns you have, your current security setup, and how it could be improved. From team training when it comes to spotting phishing attacks and not falling for social engineering tactics, to ensuring everyone’s account has the right access permissions, we’re here to help keep you as safe as possible.